Privacy Policy
Last updated: May 12, 2026
MileStem ("we," "our," or "us") is a practice management platform developed and operated by Gregory Holdings of Indiana LLC. This Privacy Policy describes how we collect, use, and protect information when you use MileStem at milestem.app.
MileStem is designed for Early Intervention and Applied Behavior Analysis (ABA) therapy providers. We are committed to protecting the privacy and security of all information entrusted to us, including Protected Health Information (PHI) as defined under HIPAA.
1. Information We Collect
We collect the following categories of information:
- Account information: Name, email address, role, and organization affiliation of registered users.
- Client records: Information about clients served by your organization, including names, dates of birth, addresses, guardian information, and service records. This information may constitute Protected Health Information under HIPAA.
- Visit and session documentation: Visit notes, session summaries, signatures, and related clinical documentation.
- Forms and consents: Completed state-required forms, consent documents, and signatures.
- Google Calendar data: When you choose to connect your Google Calendar, we access your calendar events solely to display your schedule within MileStem and to create or update calendar events corresponding to scheduled visits. See Section 4 for full details.
- Usage data: Log data, audit trails, and activity records generated through your use of the platform.
2. How We Use Your Information
- Provide, operate, and maintain the MileStem platform
- Enable visit documentation, form completion, and digital signature workflows
- Facilitate communication between providers and families through the platform
- Generate and store clinical documentation and state-required forms
- Sync scheduled visits with connected Google Calendar accounts
- Maintain audit logs for compliance and security purposes
- Provide customer support
We do not use your information for advertising, marketing to third parties, or any purpose unrelated to the operation of the MileStem platform.
3. How We Share Your Information
We do not sell, rent, or trade your personal information or Protected Health Information to any third party.
- Service providers: We use Supabase for database and storage services, and Vercel for application hosting. These providers process data on our behalf under data processing agreements consistent with HIPAA requirements.
- Legal requirements: We may disclose information if required by law, court order, or government authority.
- With your consent: We may share information in other circumstances with your explicit consent.
4. Google Calendar Integration
MileStem offers an optional integration with Google Calendar. If you choose to connect your Google Calendar account:
- What we access: We request access to read your Google Calendar events and to create or update calendar events on your behalf.
- Why we access it: Google Calendar data is used solely to display your existing schedule within MileStem and to automatically create calendar events when visits are scheduled through the platform.
- What we do not do: We do not read, store, share, transfer, or use your Google Calendar data for any purpose other than the scheduling features described above. We do not use Google Calendar data for advertising, analytics, or any secondary purpose.
- Data storage: We store OAuth access and refresh tokens securely to maintain your calendar connection. These tokens are used only to make authorized API calls on your behalf.
- Revoking access: You may disconnect your Google Calendar at any time from Settings within MileStem, or directly at myaccount.google.com/permissions.
Our use of Google Calendar data complies with the Google API Services User Data Policy, including the Limited Use requirements.
5. HIPAA and Protected Health Information
- All data is encrypted at rest and, in transit, using TLS
- Access to PHI is restricted by role-based permissions
- Each organization's data is isolated from all other organizations on the platform
- Audit logs track access to and modification of PHI
- Signatures and documents are stored in private, access-controlled storage
Organizations using MileStem to store or process PHI should ensure they have an appropriate Business Associate Agreement (BAA) in place.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Upon account termination, we will delete or anonymize your data within 90 days, except where retention is required by law.
7. Your Rights
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your information
- Receive a copy of your information in a portable format
8. Security
We implement industry-standard technical and organizational measures to protect your information, including encryption, access controls, and regular security reviews.
9. Children's Privacy
MileStem is a platform for healthcare providers, not for direct use by children. While the platform processes records related to child clients as part of its clinical documentation functions, it is not directed at children and does not knowingly collect personal information directly from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or through a notice within the platform.
11. Contact Us
- Company: Gregory Holdings of Indiana LLC
- Platform: MileStem — milestem.app